In October, RiskIQ discovered what we believe to be a new Magecart skimmer placed on several e-commerce sites, including websites for the well-known hair treatment company Bosley and the Chicago Architecture Center (CAC), one of Chicago's largest cultural organizations. The skimmer was or has been on both these sites for several months.
RiskIQ researchers have dubbed the skimmer used in these attacks "Meyhod," after a mistyped function in the skimming code. Meyhod itself is simple compared to the Magecart skimmers we've recently analyzed, such as the new variant of the Grelos skimmer and the Ant and Cockroach skimmer. However, Meyhod is carefully crafted to blend in with victim sites' appearance and functions, indicating experienced Magecart operators wield it.
The Meyhod operators obfuscate their skimmer logic by splitting it across more than a dozen functions, through which the control flow of the code jumps. One of these functions, `deflateMeyhod,` lends this skimmer its name due to the apparent typo of `deflateMethod.` Another, "saveData," tries to get credit card data via jQuery selectors.
Elements of the skimmer code vary across different victim sites, with operators appearing to tailor them to match those used by each victim site. The skimmed data is encoded using custom functions before it is sent off to the attacker-owned server by an AJAX POST request.
So far, we have not tied the Meyhod skimmer to a particular group, as we have not observed an overlap between domains associated with it and other Magecart activity. The infrastructure hosting the skimmer also does not provide clear indicators. Alibaba hosts much of its infrastructure, but so many Magecart groups rely on Alibaba-hosted infrastructure that it's an indiscernible trait.
Meyhod points to the ever-evolving and expanding Magecart landscape encompassing theft of payment information via compromised e-commerce websites. Though simple in its construction, it's dangerously effective and has managed to remain hidden on its victims' pages for months.
RiskIQ has reached out to both victim organizations to alert them to the compromise and offer assistance but has received no response. Soon after our initial outreach to CAC, we stopped observing the skimmer on their site, and a recent manual check turned up no skimming code. However, we are currently unable to confirm whether or not CAC took specific action to remediate the compromise. Our reviews of Bosley's website showed the skimmer still in place.
Be sure to check-in on RiskIQ's Threat Intelligence portal as we continue to track Magecart and publish everything that can help you defend your organization. For the full report on the new Meyhod skimmer, including IOCs, visit the intelligence card here.